Fake Royal Bank Of Canada RE: Instructions De Transfert Delivers Trickbot


This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “RE: Instructions de transfert ” pretends to come from RBC Royal Bank of Canada but actually comes from “3SERVICEGROUPMTL3@R0YALBANK.COM” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. You need to look very carefully to see the 0 (zero) in the fake domain name instead of the O.

It is slightly clearer in lowercase, but still close enough to confuse many recipients (r0yalbank.com.). This is why the criminals have used upper case in the from line today. These have a malicious office file attachment. Today they are using XLSM Excel spreadsheet files.

These are obviously aimed at French Canadian speakers. The main content of the email is written in French, not English. There also seem to be a few changes to the trickbot binaries and modules again today.

RBC Banque Royale, Banque Royale du Canada, Royal Bank of Canada has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.

What has happened is that the criminals sending these have registered various domains that look like the genuine Company, Bank, Government Department or message sending service. Normally there is only one newly registered domain that imitates a well known Company, Government Department, Bank or other organisation that can easily be confused with the genuine body or website in some way. These are hosted on & send the emails from 3 or 4 different servers. Some days however we do see dozens or even hundreds of fake domains.

Today’s example of the spoofed domain is, as usual, registered via Godaddy as registrar. Because of new GDPR rules we cannot easily find the registrants name or any further details.

R0YALBANK.COM hosted on & sending emails via | | | |

You can now submit suspicious sites, emails and files via our Submissions system

Email Details

From: Commercial Service Team MTL 3 <3SERVICEGROUPMTL3@R0YALBANK.COM>

Date: Mon 11/02/2021 18:02

Subject: RE: Instructions de transfert

Attachment: Instructions.xlsm

Body Content:


Afin de compléter votre demande, nous avons besoin de vous pour compléter la lettre ci-jointe avec instructions ou transférer les fonds et signataires autorisés.

Vous pouvez mettre le compte à zéro et nous faire parvenir un courriel avec deux des signataires en copie conforme.

Merci et Bonne Journée

Si tu as besoin de plus d’informations, n’hésite pas a m’appeler.

Céline Henderson

Rosa Cho, Céline Henderson, Sophie Savoie & Josiane Wong Kee Song │ Conseiller service commerciaux, équipe service à la clientèle commerciale│ RBC Banque Royale │ Banque Royale du Canada │1 Place Ville Marie – 2e étage, aile Ouest, Montréal QC, H3C 3A9│Tél: 1-877-421-4865 (Opt 1-1-3 ) │

If you received this email in error, please advise the sender (by return email or otherwise) immediately. You have consented to receive the attached electronically at the above-noted email address; please retain a copy of this confirmation for future reference. You may unsubscribe from promotional emails.

Si vous recevez ce courriel par erreur, veuillez en aviser l’expéditeur immédiatement, par retour de courriel ou par un autre moyen. Vous avez accepté de recevoir le(s) document(s) ci-joint(s) par voie électronique à l’adresse courriel indiquée ci-dessus; veuillez conserver une copie de cette confirmation pour les fins de reference future. Vous pouvez vous désinscrire de la liste d’envoi de courriels promotionnels.


Fake RBC email

Malware Details

Fake RBC spreadsheet

Instructions.xlsm Current Virus total detections | Hybrid Analysis | Anyrun which for some reason only sees the first url sgc-fl.com and didn’t roll over to the second one when it got a bad reply. |However it did when I used fakenet & MITM ( anyrun) I assume that this is probably due to a badly written macro / powershell script where it will only roll over to the alternate download location if the first url fails to respond at all, not when the site is suspended or the actual file can’t be found..

This malware xls file downloads from http://isgno.net/ca.kabs which is a renamed .exe file VirusTotal | Anyrun [1] [2] [3] [4] | Gtag ser 0211us

Running this file via various settings in Anyrun gives some slightly different results

  • [1] using MITM shows a DNS request to a tor site 6lwyu54ybblfuex6.onion but not much else ( I don’t think I left it running long enough) Rerunning this using MITM [4] does show a lot more ssl connections
  • [2] using Tor with a CA exit node shows a full run but no actual tor connections.
  • [3] using no interception or tor shows the same full run as [2] and the same tor site DNS request


There are also some changes to the downloaded addition versions of Trickbot:- Radiance.png (virustotal) which is copied to the SysDefrag folder as both log_install.tmp and dbase.dat. Then we have table.png (VirusTotal) both of which which looks like new versions today

The alternate Download location is http://sgc-fl.com/ca.kabs which was very quickly suspended by the hosting company

The folder for the files & configs is: C:\Users\[User]\AppData\Roaming\SysDefrag

Looks like they have kept on using the psfin64 ( point of sale stealing )module again today along with the other usual components we are used to seeing. PSfin64 was first seen in November 2018 but only briefly. Then Brad Duncan noticed it appearing again about 1 week ago.

Screenshot of modules and configs as shown by anyrun

All modern versions of word and other office programs, that is 2010, 2013, 2016 and 365, should open all Microsoft office documents that is Word docs, Excel spreadsheet files and PowerPoint etc that are downloaded from the web or received in an email automatically in “protected view” that stops any embedded malware, macros and DDE “exploit /Feature” and embedded ole objects from being displayed and running.

Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks and do not over ride it to edit the document. If the protected mode bar appears when opening the document DO NOT follow the advice they give to enable macros or enable editing to see the content. The document will have a warning message, but you will be safe.

Be aware that there are a lot of other dodgy word docs spreading that WILL infect you with no action from you, if you are still using an out dated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007. Many of us have continued to use older versions of word and other office programs, because they are convenient, have the functions and settings we are used to and have never seen a need to update to the latest super-duper version.

The risks in using older version are now seriously outweighing the convenience, benefits and cost of keeping an old version going.

What Can Be Infected By This

At this time, these malicious macros only infect windows computers. They do not affect a Mac, IPhone, IPad, Blackberry, Windows phone or Android phone.

The malicious word or excel file can open on any device with an office program installed, and potentially the macro will run on Windows or Mac or any other device with Microsoft Office installed. BUT the downloaded malware that the macro tries to download is windows specific, so will not harm, install or infect any other computer except a windows computer. You will not be infected if you do not have macros enabled in Excel or Word. These Macros, embedded Oles or DDE do not run in “Office Online” Open Office, Libre Office, Word Perfect or any other office program that can read Word or Excel files.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about word macro malware and how to avoid being infected by them

I strongly urge you to update your office software to the latest version and stop putting yourself at risk, using old out of date software.


Main object- “Instructions.xlsm”
sha256 d8261ce7b29193b64efec094dffdcc51774cd1473e679ca407b4e37af9e7ee4c
sha1 7243454847fa71a7ca839af3b1e0009bc1c93d92
md5 a498ba99ea588b7bdd15d0e67eb2abbe
DNS requests
domain isgno.net
domain sgc-fl.com
HTTP/HTTPS requests
url http://sgc-fl.com/ca.kabs
url http://isgno.net/ca.kabs

Main object- “ca.kabs”
sha256 0ae7ecf17252b7e4ced063340bb1fdcce7d7c88618b458e49eadbd04037f2d72
sha1 f825b9ad629ef9c8db7218d46853ce7aed7f87eb
md5 e7a5aba218929dabdbcb338bf9304f3a
Dropped executable file
sha256 C:\Users\admin\AppData\Roaming\SysDefrag\log_install.tmp e65a10fc594bf4ff7e577e9edd0eed5800ab9fcf589452b384d633c715ca800c
DNS requests
domain ipinfo.io
HTTP/HTTPS requests
url http://ipinfo.io/ip
MD5 B2A6C31A3054CBC9DBB4777757192A05
SHA1 6FD936CDE39A665F9E4BD9DF37006D988928E43E
SHA256 E65A10FC594BF4FF7E577E9EDD0EED5800AB9FCF589452B384D633C715CA800C
MD5 C70AFE2C198A98E9AD8479EAA0ACC845
SHA1 DE4A18706B1B3E68EE31F7B34DD712FABDD5804F
SHA256 3508020279FFBADEC4BB0E1884464E0D23CD93332271780165F0E7DAC40049A8

Email from:

Leave a Reply

Your email address will not be published.

Related Posts